Analysis
max time kernel: 191s
max time network: 192s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-10-2022 23:41
Static task: static1
Behavioral task: behavioral1
  Sample: 2e9f3938406a55b2c4d7f260df0bcc1bd4824d762a6864332c2ab40256cdeb44.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 2e9f3938406a55b2c4d7f260df0bcc1bd4824d762a6864332c2ab40256cdeb44.exe
  Resource: win10v2004-20220812-en
General
Target: 2e9f3938406a55b2c4d7f260df0bcc1bd4824d762a6864332c2ab40256cdeb44.exe
Size: 265KB
MD5: 651d5e0fa9831d092405b3ba6df39630
SHA1: 520b5f8065faf48f5be9cd12b6790a5d08f24a30
SHA256: 2e9f3938406a55b2c4d7f260df0bcc1bd4824d762a6864332c2ab40256cdeb44
SHA512: 2b27f11458d71210cd119eb879ec5280a5711bb379c9d8eb28d39892ed007c2f0e92dcb18234b581111a81abd2c1ceb98cccac6bf15b57bef784b237c7e2507f
SSDEEP: 6144:lz+92mhAMJ/cPl3it8jT1cACTfgjdkA3Hj+6iTHpK1MiIa+HzS:lK2mhAMJ/cPlAK1kfgjdkA30K1MigH+
Malware Config
Extracted
Family: njrat
Version: 0.6.4
Botnet: H
C2: tmeemwtr68.no-ip.biz:1168
mutex: 8fec47ea2031d7c684beb0d0a36361b8
reg_key: 8fec47ea2031d7c684beb0d0a36361b8
splitter: |'|'|
Signatures

Executes dropped EXE (4 IoCs)
Processes:
  PID 748: 2.2.exe
  PID 3088: 2.2.exe
  PID 2616: winlogon.exe
  PID 2160: winlogon.exe

Modifies Windows Firewall (1 TTPs, 1 IoCs)

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried by 2.2.exe: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
  Key value queried by 2e9f3938406a55b2c4d7f260df0bcc1bd4824d762a6864332c2ab40256cdeb44.exe: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  Set value (str) by winlogon.exe: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8fec47ea2031d7c684beb0d0a36361b8 = "\"C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe\" .."
  Set value (str) by winlogon.exe: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\8fec47ea2031d7c684beb0d0a36361b8 = "\"C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe\" .."

Suspicious use of SetThreadContext (2 IoCs)
Processes:
  PID 748 (2.2.exe) set thread context of PID 3088 (2.2.exe)
  PID 2616 (winlogon.exe) set thread context of PID 2160 (winlogon.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  Token SeDebugPrivilege: PID 748 (2.2.exe)
  Token SeDebugPrivilege: PID 2616 (winlogon.exe)
  Token SeDebugPrivilege: PID 2160 (winlogon.exe)

Suspicious use of WriteProcessMemory (19 IoCs)
Processes:
  PID 4652 (2e9f3938406a55b2c4d7f260df0bcc1bd4824d762a6864332c2ab40256cdeb44.exe) wrote to memory of PID 748 (2.2.exe): 3 events
  PID 748 (2.2.exe) wrote to memory of PID 3088 (2.2.exe): 5 events
  PID 3088 (2.2.exe) wrote to memory of PID 2616 (winlogon.exe): 3 events
  PID 2616 (winlogon.exe) wrote to memory of PID 2160 (winlogon.exe): 5 events
  PID 2160 (winlogon.exe) wrote to memory of PID 3376 (netsh.exe): 3 events
Processes

1. C:\Users\Admin\AppData\Local\Temp\2e9f3938406a55b2c4d7f260df0bcc1bd4824d762a6864332c2ab40256cdeb44.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2e9f3938406a55b2c4d7f260df0bcc1bd4824d762a6864332c2ab40256cdeb44.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

  2. C:\2.2.exe
     Command line: "C:\2.2.exe"
     - Executes dropped EXE
     - Suspicious use of SetThreadContext
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory

    3. C:\2.2.exe
       Command line: C:\2.2.exe
       - Executes dropped EXE
       - Checks computer location settings
       - Suspicious use of WriteProcessMemory

      4. C:\Users\Admin\AppData\Roaming\winlogon.exe
         Command line: "C:\Users\Admin\AppData\Roaming\winlogon.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

        5. C:\Users\Admin\AppData\Roaming\winlogon.exe
           Command line: C:\Users\Admin\AppData\Roaming\winlogon.exe
           - Executes dropped EXE
           - Adds Run key to start application
           - Suspicious use of AdjustPrivilegeToken
           - Suspicious use of WriteProcessMemory

          6. C:\Windows\SysWOW64\netsh.exe
             Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\winlogon.exe" "winlogon.exe" ENABLE
             - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\2.2.exe
  Filesize: 358KB
  MD5: f6a7b89889b271060d09088fb033d117
  SHA1: 4d60cc74a57ebe6740777ae0f3018c7c2128d79a
  SHA256: 7f7351382ad6ffd823dc455a9e97e6eb6efb909def51fec64b73d33f77ad0940
  SHA512: b477b08c6c42f04a5d846ebd573bed10fbdd963e54dd7d69dc12f3040542ecf0fbe35df1c1c41e9788c8bafb8d9789148a604be6adc1053c4c72885b408b3169
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2.2.exe.log
  Filesize: 418B
  MD5: 89c8a5340eb284f551067d44e27ae8dd
  SHA1: d2431ae25a1ab67762a5125574f046f4c951d297
  SHA256: 73ca1f27b1c153e3405856ebe8b3c6cdd23424d2ab09c0fe1eb0e2075513057b
  SHA512: b101ac2e008bd3cc6f97fedb97b8253fb07fed1c334629ecbebe0f4942ccc1070491cddc4daea521164543b6f97ba9b99d2be1c50cc5a013f04e697fea9dbdac
C:\Users\Admin\AppData\Roaming\winlogon.exe
  Filesize: 358KB
  MD5: f6a7b89889b271060d09088fb033d117
  SHA1: 4d60cc74a57ebe6740777ae0f3018c7c2128d79a
  SHA256: 7f7351382ad6ffd823dc455a9e97e6eb6efb909def51fec64b73d33f77ad0940
  SHA512: b477b08c6c42f04a5d846ebd573bed10fbdd963e54dd7d69dc12f3040542ecf0fbe35df1c1c41e9788c8bafb8d9789148a604be6adc1053c4c72885b408b3169